Vulnerability Management 101: What’s a Risk and How Can I Mitigate as Many as Possible?

By: Perimeter
Published: Jan 31, 2007
Length: 11
Type: White Paper
 
Overview :

As financial organizations delve into the increasingly regulated world of information security, they often confront many terms that seem indistinguishable. What is the difference between a risk, a threat, a vulnerability and an exploit? Which product or solution can be employed to address my institution's information security and compliance needs?

This paper provides some clarity on the first question, namely what kinds of risks a financial institution should be concerned with. In the process, it should help to answer the second question, that of aligning concerns with solutions.

Download this paper to learn more about vulnerability management solutions.


Vulnerability Management:

Each year brings with it thousands of new computer security vulnerabilities that require management. The graph below shows the number of new threats reported month by month over the last year. Clearly, every month brings with it an additional 500-1000 new vulnerabilities, or 20 to 30 new threats per day. Not every financial institution is exposed to every one of these new threats. However, it is incumbent on the institution's management to assess the magnitude of each threat and deal appropriately and programmatically with those posing risks to the institution. While some of the risks may be trivial, a single exploited vulnerability can often cause catastrophic problems. Prioritizing the huge volume of threats is no trivial challenge for vulnerability management.

[Figure: New vulnerabilities per month in 2006]

When considering the protection of a business system from data security threats, one will typically rely on systems such as firewalls and Intrusion Detection/Prevention Systems (IDS/IPS). Throughout this paper, we refer to these systems collectively as Intrusion Defense Systems. While these systems are a critical and necessary component of a defensive strategy, they have limitations.

The most critical shortcoming of Intrusion Defense Systems is that they are limited to protection against known or recognizable threats. The function of Intrusion Defense Systems is to leverage the firewall to limit traffic to needed channels such as mail traffic and web traffic. With the traffic cut down to only the necessary channels, it is then monitored by the IDS/IPS function against a signature base of conditions. As defined by the security experts at the SANS Institute, a "signature" is "a distinct pattern in network traffic that can be identified to a specific tool or exploit."

A signature is looking for a "distinct pattern" from a known "tool or exploit." Said another way, Intrusion Defense and vulnerability management can be thought of as a "Known Issue Defensive Tactic": a system that defends against pre-specified patterns or threats. The firewall can deliver or block traffic based on "header" information, similar to the address information on an envelope, while the IDS/IPS opens the "letter" (data packet) and analyzes the "content" (payload) based on a well-known list of attack patterns.

Definitions

To understand known vs. unknown threats, a few definitions need to be understood:

- Firewall Communication Channel/Protocol - A firewall allows communications channels between devices or networks on either side of the device. These communications channels can only define the protocol (mail, web, etc.) and where the traffic channel is coming from or going to. Traffic on the mail channel, for example, is allowed from anywhere on the Internet to a mail server at a specified location. As you can see, there is no discussion of "good" vs. "bad" mail, since the communication channel does not analyze the traffic at a "deep packet" level. In other words, the firewall communication channel does not analyze the payload (contents of the email) for malicious code.

- Vulnerability - A vulnerability is a weakness or bug in a hardware system or software application that allows for potential exploitation. For example, Internet Explorer vulnerabilities that allow the browser to be exploited to run other applications may permit an attacker to do anything from capturing keystrokes to taking full remote control of the compromised system. The vulnerability is strictly the existence of a potential problem, not the exploitation of it. A vulnerability COULD be exploited in thousands of ways that are all unknown, but is typically exploited in only a handful of them. It is also critical to understand that there are thousands of new vulnerabilities discovered every year, yet most security professionals doubt that a majority of existing vulnerabilities are ever discovered. These vulnerabilities can be managed.
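
The envelope/letter split and the firewall channel definition above can be modelled in a few lines. This is an added example, not code from the white paper or from Perimeter; the host names, signature name, patterns and sample packets are all constructed placeholders. It shows a malicious message with no matching signature passing both layers, which is the "known issue" limitation the paper describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    label: str          # name of the constructed sample
    malicious: bool     # ground truth, known only to us as authors of the sample
    dst: str
    dst_port: int
    payload: bytes

# Firewall channels: header fields only (destination host, destination port).
ALLOWED_CHANNELS = {("mail.example.internal", 25), ("www.example.internal", 80)}

# IDS/IPS signature base: one distinct pattern per known tool or exploit.
SIGNATURES = {"SAMPLE-KNOWN-EXPLOIT-A": b"KNOWN_BAD_PATTERN_A"}

def firewall_allows(pkt):
    """Envelope check: addressing only, the payload is never read."""
    return (pkt.dst, pkt.dst_port) in ALLOWED_CHANNELS

def ids_matches(pkt):
    """Letter check: names of all known signatures found in the payload."""
    return sorted(n for n, pat in SIGNATURES.items() if pat in pkt.payload)

def inspect(pkt):
    if not firewall_allows(pkt):
        return "blocked-by-firewall"
    hits = ids_matches(pkt)
    return "blocked-by-ids:" + ",".join(hits) if hits else "delivered"

# Constructed sample traffic (placeholder payloads, no real exploit content).
SAMPLES = [
    Packet("benign-mail", False, "mail.example.internal", 25, b"Quarterly report attached"),
    Packet("known-bad-mail", True, "mail.example.internal", 25, b"xx KNOWN_BAD_PATTERN_A xx"),
    Packet("novel-bad-mail", True, "mail.example.internal", 25, b"xx PATTERN_WITH_NO_SIGNATURE xx"),
    Packet("telnet-probe", True, "mail.example.internal", 23, b"login"),
]

def verdicts():
    return {p.label: inspect(p) for p in SAMPLES}

def missed():
    """Malicious samples that both layers let through."""
    return [p.label for p in SAMPLES if p.malicious and inspect(p) == "delivered"]

if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{label:16} {verdict}")
    print("missed:", missed())
```

The firewall stops only the traffic outside an allowed channel, the signature base stops only the pattern it already lists, and the remaining malicious sample is delivered on the permitted mail channel.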
